GRC and Cloud Services By David Lingenfelter 2012
Background > MaaS360 SaaS Cloud Model > Mobile Device Management > FISMA Moderate Certified > SAS-70/SOC-2 > Member of the Cloud Security Alliance > Participant in NIST Cloud working groups
NIST Reference Architecture (SP500-292) * - Diagram from NIST SP500-292 Sep, 2011
Who's in Control in the Cloud? * - Diagram from NIST SP800-144 Dec 2011
Said Differently: It Depends (Provider vs. Consumer responsibility across SaaS, PaaS, IaaS) * - Diagram from CSA Guidance 3.0
General Cloud Model Transparency * - CSA GRC presentation
Cloud Adoption Obstacles
Traditional
> Enterprise strategy
> Business function (workload) adaptation to cloud delivery
> Technical architecture: network connections, application standards, interoperability
> Buying time for current compliance programs
> Maintenance
> Concept of Operations
Neglected but Necessary
> IT and IT risk governance: Traditional sourcing? Cloud? Private? Community? Public? Hybrid? Traditional + cloud? How measured?
> Security policy: Uniform across all delivery methods? Cloud adjusted? Private? Community? Public? Hybrid?
> Risk/compliance management standards/benchmarks: Cloud adjusted? Private? Community? Public? Hybrid?
Top Threats
> Trust: lack of provider transparency impacts governance, risk management, compliance, and the capture of real value
> Data: leakage, loss, or storage in unfriendly geography
> Insecure cloud software
> Malicious use of cloud services
> Account/service hijacking
> Malicious insiders
> Cloud-specific attacks
* Based on CSA risk response questionnaire
GRC * Diagram from CSA Guidance 3.0
NIST Publications > SP800-144 - Guidelines on Security and Privacy in Public Cloud Computing > SP800-145 NIST Definition of Cloud > SP500-291 - Cloud Computing Standards Roadmap > SP500-292 - Cloud Computing Reference Architecture > SP500-293 - US Government Cloud Computing Technology Roadmap > The list goes on
Cloud Security Alliance Guidance > Security Guidance v3.0 > Cloud Control Matrix (CCM) > Consensus Assessments Initiative (CAI) > Cloud Trust Protocol (CTP) > GRC Stack > Cloud Mobile > the list goes on
FedRAMP > Policy Memo > 3PAO Program Description > Security Controls > CONOPS > JAB Controls > more to come
Absent Transparency: Some Big Problems
Without transparency:
> No confirmed chain of custody for information
> No way to conduct investigative forensics
> Little confidence in the ability to detect attempts or occurrences of illegal disclosure
> Little capability to discover or enforce configurations
> No ability to monitor operational access or service management actions (e.g., change management, patch management, vulnerability management)
Take care of the big rocks first: Security, Trust, Control
Cloud Security Governance, Risk, and Compliance (GRC) Stack
> Cloud Trust Protocol (delivering: continuous monitoring with a purpose) - Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers
> Cloud Audit (delivering: claims, offers, and the basis for auditing service delivery) - Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
> Consensus Assessments Initiative (delivering: pre-audit checklists and questionnaires to inventory controls) - Industry-accepted ways to document what security controls exist
> Cloud Control Matrix (delivering: the recommended foundations for controls) - Fundamental security principles in specifying the overall security needs of cloud consumers and assessing the overall security risk of a cloud provider
CSA GRC Value Equation: Contributions for Consumers and Providers
> What control requirements should I have as a cloud consumer or cloud provider?
> Individually useful, collectively powerful: a productive way to reclaim end-to-end information risk management capability
> How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)?
> Static claims and assurances
> How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations?
> Dynamic (continuous) monitoring and transparency
> How do I know that the controls I need are working for me now (consumer)?
> How do I provide actual security and transparency of service to all of my cloud users (provider)?
Cloud Control Matrix
> V1.0 (Apr 2010), V1.1 (Dec 2010), V1.2 (Aug 2011), V1.3 (2012, currently being reviewed), V2.0 (2012)
> Controls baselined and mapped to: COBIT, BITS Shared Assessments, HIPAA/HITECH Act, Jericho Forum, ISO/IEC 27001-2005, NERC CIP, NIST SP800-53, FedRAMP, PCI DSS v2.0
What is the CCM?
> First ever baseline control framework specifically designed for managing risk in the cloud supply chain:
> Addressing the inter- and intra-organizational challenges of persistent information security by clearly delineating control ownership
> Providing an anchor point and common language for balanced measurement of security and compliance postures
> Providing holistic adherence to the vast and ever-evolving landscape of global data privacy regulations and security standards
> Serves as the basis for new industry standards and certifications
Consensus Assessments Initiative
> A cloud supply chain risk management and due diligence questionnaire
> ~200 yes/no questions that map directly to the CCM, and thus, in turn, to many industry standards
> Can be used by CSPs for self-assessment, or by potential customers to identify the presence of security controls and practices for cloud offerings, for procurement negotiation, for contract inclusion, and to quantify SLAs
> For potential customers, the CAIQ is intended to be part of an initial assessment, followed by further clarifying questions of the provider as applicable to their particular needs
Sample Questions
Compliance - Independent Audits (CO-02)
> CO-02a - Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports?
> CO-02b - Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
> CO-02c - Do you conduct application penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
> CO-02d - Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
> CO-02e - Do you conduct external audits regularly as prescribed by industry best practices and guidance?
> CO-02f - Are the results of the network penetration tests available to tenants at their request?
> CO-02g - Are the results of internal and external audits available to tenants at their request?
Data Governance - Classification (DG-02)
> DG-02a - Do you provide a capability to identify virtual machines via policy tags/metadata (e.g., tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country)?
> DG-02b - Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag)?
> DG-02c - Do you have a capability to use system geographic location as an authentication factor?
> DG-02d - Can you provide the physical location/geography of storage of a tenant's data upon request?
> DG-02e - Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
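The slides above describe the CAIQ as a yes/no questionnaire whose question IDs map to CCM controls, used for an initial assessment followed by clarifying questions. The following is an added example (not from the deck and not CSA's own tooling) that scores a CAIQ-style response against the CCM control IDs: it uses the sample question IDs from the slide (CO-02a..g, DG-02a..e), while the provider answers, the "critical" question set and the scoring rules are constructed for illustration only.

```python
"""Added example (not from the deck, nor CSA's own tooling): scoring a
CAIQ-style self-assessment against the CCM control IDs the questions map to.

The question IDs and wording follow the "Sample Questions" slide
(CO-02a..g, DG-02a..e). The answers, the "critical" set and the scoring
rules below are constructed for illustration only.
"""
from collections import defaultdict

# Slide's sample questions: CAIQ question ID -> (CCM control ID, question text)
CAIQ_QUESTIONS = {
    "CO-02a": ("CO-02", "Do you allow tenants to view your SAS70 Type II/SSAE 16 "
                        "SOC2/ISAE3402 or similar third party audit reports?"),
    "CO-02b": ("CO-02", "Do you conduct network penetration tests of your cloud "
                        "service infrastructure regularly?"),
    "CO-02c": ("CO-02", "Do you conduct application penetration tests of your "
                        "cloud service infrastructure regularly?"),
    "CO-02d": ("CO-02", "Do you conduct internal audits regularly?"),
    "CO-02e": ("CO-02", "Do you conduct external audits regularly?"),
    "CO-02f": ("CO-02", "Are the results of the network penetration tests "
                        "available to tenants at their request?"),
    "CO-02g": ("CO-02", "Are the results of internal and external audits "
                        "available to tenants at their request?"),
    "DG-02a": ("DG-02", "Do you provide a capability to identify virtual "
                        "machines via policy tags/metadata?"),
    "DG-02b": ("DG-02", "Do you provide a capability to identify hardware via "
                        "policy tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag)?"),
    "DG-02c": ("DG-02", "Do you have a capability to use system geographic "
                        "location as an authentication factor?"),
    "DG-02d": ("DG-02", "Can you provide the physical location/geography of "
                        "storage of a tenant's data upon request?"),
    "DG-02e": ("DG-02", "Do you allow tenants to define acceptable geographical "
                        "locations for data routing or resource instantiation?"),
}

# Constructed: questions this (hypothetical) consumer treats as must-haves.
CRITICAL = {"CO-02a", "CO-02g", "DG-02d"}

# Constructed provider answers; DG-02c is deliberately left unanswered.
SAMPLE_ANSWERS = {
    "CO-02a": "Yes", "CO-02b": "Yes", "CO-02c": "Yes", "CO-02d": "Yes",
    "CO-02e": "Yes", "CO-02f": "No", "CO-02g": "No",
    "DG-02a": "Yes", "DG-02b": "No", "DG-02d": "Yes", "DG-02e": "N/A",
}


def assess(answers, questions=CAIQ_QUESTIONS, critical=CRITICAL):
    """Return per-control 'yes' coverage plus the follow-up list a consumer
    would take into the clarifying round with the provider.

    answers: {question_id: "Yes" | "No" | "N/A"}. A missing ID counts as
    unanswered and is treated like "No" for coverage; "N/A" is excluded from
    the ratio but reported so it cannot silently hide a gap.
    """
    tally = defaultdict(lambda: {"yes": 0, "asked": 0})
    follow_up, not_applicable = [], []
    for qid, (control, text) in questions.items():
        t = tally[control]  # touch the control so an all-N/A control still shows up
        ans = (answers.get(qid) or "unanswered").strip().lower()
        if ans == "n/a":
            not_applicable.append(qid)
            continue
        t["asked"] += 1
        if ans == "yes":
            t["yes"] += 1
        else:
            follow_up.append({"id": qid, "control": control, "answer": ans,
                              "critical": qid in critical, "question": text})
    coverage = {c: round(t["yes"] / t["asked"], 2) if t["asked"] else None
                for c, t in tally.items()}
    return {
        "coverage": coverage,
        "follow_up": follow_up,
        "blocking": [f["id"] for f in follow_up if f["critical"]],
        "not_applicable": not_applicable,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_ANSWERS)
    for control, ratio in report["coverage"].items():
        print(f"{control}: coverage={ratio}")
    for item in report["follow_up"]:
        flag = "BLOCKING" if item["critical"] else "follow-up"
        print(f"  [{flag}] {item['id']} ({item['answer']}): {item['question']}")
    print("N/A:", report["not_applicable"])
```

The coverage ratio is only a triage aid: a "No" on a question the consumer has marked critical (here CO-02g, audit results available to tenants) is reported separately as blocking, and unanswered or "N/A" items are surfaced rather than dropped, since those are exactly the points to raise in the clarifying round the slide describes.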
CloudAudit Objectives
> Provide a common interface and namespace that allows cloud computing providers to automate collection of Audit, Assertion, Assessment, and Assurance Artifacts (A6) of their operating environments
> Allow authorized consumers of services and concerned parties to do likewise via an open, extensible and secure interface and methodology
What CloudAudit Does
> Provide a structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools
> Define a namespace that can support diverse frameworks
> Express compliance frameworks in that namespace
> Define the mechanisms for requesting and responding to queries relating to specific controls
> Integrate with portals and AAA systems
Why a CloudTrust Protocol? Information Assurance is Cloud-Complicated
Clouds are cloudy: as visibility is lost
> Where is the data?
> Who can see the data?
> Who has seen the data?
> Is data untampered?
> Where is processing performed?
> How is processing configured?
> Does backup happen? How? Where?
Security, compliance, and value are lost as well
* - Diagram: consumer requirements vs. services from providers (Amazon, Google, Microsoft)
Transparency Restores Information Assurance
Working with a glass cloud delivers the elastic benefits of the cloud: as visibility is gained
> Configurations are known and verified
> Data exposure and use is collected and reported
> Access permissions are discovered and validated
> Processing and data locations are exposed
> Compliance evidence can be gathered and analyzed
> Processing risks and readiness become known
Security, compliance, and value are captured as well
* - Diagram: consumer requirements vs. services from providers (Amazon, Google, Microsoft)
Thank You David Lingenfelter Email: dlingenfelter@fiberlink.com Twitter: @simply_security www.maas360.com www.cloudsecurityalliance.org www.nist.gov